
Rose.exe Or What ...need Urgent Help



#1 nadeemasi


Posted 12 April 2007 - 09:51 AM

Hi... I am running Win XP... a few days back I came across a problem: I saw alien language on right-click on my hard drives... then later on I could not browse them at all by opening them... I browsed the net... and found that it could be Rose.exe... I searched for its removal tool but only found manual removal instructions... which I followed... now I don't know whether the worm is still here or not, but I still cannot browse the hard disks...
I did:
Showed hidden files
Searched for the process rose.exe but found none
Ran registry and searched for rose.exe, found none
Deleted Autorun.inf, run.reg, systemdate.ini from all partitions
Disabled system restore
Ran TrendMicro updated version...

But problem is still there....
Please help...what to do next?
Thanks

Moderator Edit: Moved topic to more appropriate forum. ~ Animal

Edited by Animal, 12 April 2007 - 12:26 PM.




#2 jwinathome


Posted 12 April 2007 - 10:13 AM

You should start a new thread in the security section with a HIJACKTHIS log for someone to help you remove the malware.

#3 jgweed


Posted 12 April 2007 - 10:17 AM

Please carefully read and follow the instructions in the HJT Preparation Guide, linked to below, then submit a log to our volunteer team of experts for them to analyze and work with you to get rid of any malware they find in the log data.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#4 dc3


Posted 12 April 2007 - 10:42 AM

Hi nadeemasi, and welcome to BC.

From what I've been able to find, there usually is an error message that includes the name rose.exe. Did you have a message associated with the problem?

Did you run any scans with anything other than the TrendMicro? Try downloading and running Asquared. The most effective way is in safe mode.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#5 fozzie


Posted 12 April 2007 - 11:40 AM

This memory-resident worm propagates by listing all existing hard disk drives on the affected system and then dropping a copy of itself in the root folder of the found hard disk drives. It also drops the file, AUTORUN.INF, in the same location. This file ensures that the dropped copy of this worm is automatically executed at every system startup.

When executed, it drops a copy of itself as, rose.exe, in the root folder. It sets its file attributes to System, Read-only, and Hidden to avoid detection. It also drops several components and non-malicious files in certain folders.


This explains why you could not find it.

Please follow jgweed's instructions. After you have posted a HJT, do not make any changes to your system, since this will confuse the expert handling your log.
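
A defender-side check for the behaviour described in post #5, added here as an example and not code from any poster or from the write-up quoted above: it reads a drive root's AUTORUN.INF, lists the programs it would launch, and reports whether each one is present in the root and carries the Hidden + System + Read-only attributes. The sample AUTORUN.INF contents, the function names and the drive letters are assumptions; the thread does not show the worm's actual file.

```python
import os

# Attribute bits from the Windows API (FILE_ATTRIBUTE_READONLY/HIDDEN/SYSTEM).
READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4

# Constructed sample; the thread does not show the worm's real AUTORUN.INF.
SAMPLE_INF = ("[AutoRun]\n; constructed sample\nopen=rose.exe\n"
              "shell\\open\\command=rose.exe\nicon=drive.ico\n")

def autorun_targets(text):
    """Return the commands an autorun.inf [autorun] section would launch."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value:
                targets.append(value)
    return targets

def has_worm_attributes(path):
    """True if the file is Hidden + System + Read-only (always False off Windows)."""
    mask = READONLY | HIDDEN | SYSTEM
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (attrs & mask) == mask

def scan_root(root):
    """Return (command, file_present, hidden_system_readonly) per launch entry."""
    names = {name.lower(): name for name in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
        commands = autorun_targets(fh.read())
    findings = []
    for cmd in commands:
        # First token of the command, matched case-insensitively in the root.
        exe = cmd.split()[0].strip('"').lstrip("\\").lower()
        real = names.get(exe)
        flagged = real is not None and has_worm_attributes(os.path.join(root, real))
        findings.append((cmd, real is not None, flagged))
    return findings

if __name__ == "__main__":
    for drive in ("C:\\", "D:\\"):  # assumed drive letters
        if os.path.isdir(drive):
            print(drive, scan_root(drive))
```

Because the directory listing comes from `os.listdir`, files with the Hidden and System attributes are included even when Explorer is not set to show them.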



